7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079

General

Target

7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
Size

721KB
MD5

50f3c43ed43497ee1b222d999104dba6
SHA1

4d3772c9696ed20667d66bdf1fe300482c8db1a1
SHA256

7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079
SHA512

0d99c38c6516f929d919a28ecf8062fbed09eebd51f05b4a030418e53a8ea2a4c348c1e40bd2f0ba968f0ead42d88a0ffac92415401264e46de517b044e49c84
SSDEEP

12288:NE7fYNuxijXEsS5tONTJO3looAnXYcsPHjQ603Q/nS4Roz68WT4sw30R0MuC2iN:C7fg785mVOcX2DQrqO68fswEOMuC1

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 2612 set thread context of 1212	2612	MSBuild.exe	10
PID 2612 set thread context of 2448	2612	MSBuild.exe	31
PID 2448 set thread context of 1212	2448	ftp.exe	10

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe
2448	ftp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2612	MSBuild.exe
1212	Explorer.EXE
1212	Explorer.EXE
2448	ftp.exe
2448	ftp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 2876 wrote to memory of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 2876 wrote to memory of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 2876 wrote to memory of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 2876 wrote to memory of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 2876 wrote to memory of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 2876 wrote to memory of 2612	2876	7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe	28
PID 1212 wrote to memory of 2448	1212	Explorer.EXE	31
PID 1212 wrote to memory of 2448	1212	Explorer.EXE	31
PID 1212 wrote to memory of 2448	1212	Explorer.EXE	31
PID 1212 wrote to memory of 2448	1212	Explorer.EXE	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe
  "C:\Users\Admin\AppData\Local\Temp\7f6c6e054579e9cb04200a5179117b8e17dbdddb0c280e85f7fe9d77a5a90079.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2612
- C:\Windows\SysWOW64\ftp.exe
  "C:\Windows\SysWOW64\ftp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-20-0x0000000003A20000-0x0000000003B20000-memory.dmp

Filesize
1024KB

Download
memory/1212-30-0x0000000008FC0000-0x0000000009F56000-memory.dmp

Filesize
15.6MB

Download
memory/1212-23-0x0000000008FC0000-0x0000000009F56000-memory.dmp

Filesize
15.6MB

Download
memory/2448-31-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2448-29-0x0000000001CF0000-0x0000000001D93000-memory.dmp

Filesize
652KB

Download
memory/2448-28-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2448-27-0x0000000001E80000-0x0000000002183000-memory.dmp

Filesize
3.0MB

Download
memory/2448-25-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2448-24-0x0000000000080000-0x00000000000BC000-memory.dmp

Filesize
240KB

Download
memory/2612-21-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-14-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-26-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-17-0x0000000000B30000-0x0000000000E33000-memory.dmp

Filesize
3.0MB

Download
memory/2612-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-19-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-22-0x0000000000160000-0x0000000000184000-memory.dmp

Filesize
144KB

Download
memory/2876-8-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/2876-0-0x0000000000300000-0x00000000003BA000-memory.dmp

Filesize
744KB

Download
memory/2876-7-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-6-0x0000000005670000-0x00000000056F8000-memory.dmp

Filesize
544KB

Download
memory/2876-15-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-5-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2876-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2876-3-0x00000000002C0000-0x00000000002E0000-memory.dmp

Filesize
128KB

Download
memory/2876-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/2876-1-0x0000000074C30000-0x000000007531E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing